heroku / heroku-ci

this code is now in https://github.com/heroku/cli
https://www.npmjs.com/package/@heroku-cli/plugin-ci
MIT License

Sudo support with `ci:debug` #37

Open schneems opened 7 years ago

schneems commented 7 years ago

Currently if you try to sudo into a ci:debug instance, it will not sudo you onto a pipeline as well:

```
⛄  2.4.1 🚀  ~/documents/projects/tmp/drawbotics-staging (support)
$ heroku sudo ci:debug
 ▸    You do not have access to this pipeline.
```

Then if you do sudo yourself into the app, it can still fail:

```
$ heroku sudo access:add richard@heroku.com -a drawbotics-staging
Adding richard@heroku.com access to the app drawbotics-staging... done
$ heroku sudo ci:debug
Preparing source... done
Creating test run... done
 ▸    Test run creation failed while undefined with message "Unable to create test app: your role collab on the team drawbotics-dev is not allowed to perform that action."
```

If you try to do this manually you can run into the issue of hitting limits:

schneems commented 7 years ago

Instead of doing this on a customer's app we can copy their config to another app and run ci:

```
heroku sudo api get /pipelines/<their-pipeline>/stage/test/config-vars -v 3.pipeline | heroku api patch /pipelines/<your-pipeline>/stage/test/config-vars -v 3.pipelines
```

Like

```
heroku sudo api get /pipelines/<their-pipeline>/stage/test/config-vars -v 3.pipeline | heroku api patch /pipelines/c396ba24-a49a-4d11-b43f-0a50d5ac0fdb/stage/test/config-vars -v 3.pipelines
```

schneems commented 7 years ago

This didn't work because it copied over database URL values, and Rails (thank goodness) won't let you blow away the entire contents of a database with a thing like `rake db:schema:load`.
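An added example, not code from this thread or from the Heroku CLI: a filter that could sit between the two `heroku api` commands in the pipe above, so that data-store connection strings such as the database URL values mentioned in this comment are withheld from the copy. It assumes the config-vars response is a flat JSON object of name/value pairs; the function name `split_config`, the key and scheme patterns, and the sample values are illustrative.

```python
import json
import re
import sys

# Assumption: variable names that conventionally hold a data-store connection string.
KEY_PATTERN = re.compile(r"(^|_)(DATABASE|DB|REDIS|MONGO(DB)?)_(URL|URI)$", re.I)
# Assumption: URL schemes that point at a live data store, whatever the variable is called.
SCHEME_PATTERN = re.compile(r"^(postgres(ql)?|mysql2?|rediss?|mongodb(\+srv)?|amqps?)://", re.I)


def split_config(config):
    """Split config vars into (safe_to_copy, withheld_names).

    A variable is withheld when its name looks like a data-store URL or its
    value starts with a data-store URL scheme, so the copy cannot point a
    test run at someone else's database.
    """
    safe, withheld = {}, []
    for name, value in config.items():
        by_name = KEY_PATTERN.search(name) is not None
        by_value = isinstance(value, str) and SCHEME_PATTERN.match(value) is not None
        if by_name or by_value:
            withheld.append(name)
        else:
            safe[name] = value
    return safe, sorted(withheld)


# Constructed sample input, not real config from any app.
SAMPLE = {
    "DATABASE_URL": "postgres://user:pw@db.example.invalid:5432/app",
    "HEROKU_POSTGRESQL_RED_URL": "postgres://user:pw@db2.example.invalid:5432/app",
    "REDIS_URL": "",
    "RAILS_ENV": "test",
    "ASSET_HOST": "https://cdn.example.invalid",
}

if __name__ == "__main__":
    # Piped use: JSON in on stdin, filtered JSON out on stdout.
    # Run from a terminal with no pipe, it falls back to the sample.
    config = SAMPLE if sys.stdin.isatty() else json.load(sys.stdin)
    safe, withheld = split_config(config)
    # Names only on stderr, so withheld secrets never reach the terminal or logs.
    print("withheld: " + ", ".join(withheld), file=sys.stderr)
    json.dump(safe, sys.stdout, indent=2)
```

Everything the filter lets through, including any other credentials in the config, is still copied, so the patterns should be reviewed against the actual variable names before use.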

gudmundur commented 7 years ago

I'm not quite sure how we should tackle this one. Since CI depends on Pipelines and GitHub Sync, there are quite a few API calls that have to happen. GitHub Sync does not support sudo and we have to be careful about how we add support for that. Since we need to interact with the GitHub API using customer GitHub tokens, there are security concerns that I don't think we can just bypass. We have been talking on the team about how to tackle this to lessen the support burden of our services.